4 AD Management Tools

It’s hard to believe that we've been living with Active Directory (AD) for 10 years. If you were in IT during the years preceding this huge paradigm shift, you've witnessed the evolution of how Windows domains are administered. Gone are the days of everyone in IT being a domain administrator. Now, domains can have structure and granular security permissions.

With all that capability, however, came the necessity of forethought and careful planning. If you've ever taken over a poorly planned AD implementation, you understand this necessity all too well. And every day, many administrators face the fact that AD encompasses only one of many user-provisioning tasks. Many companies have Exchange, Research in Motion (RIM) BlackBerry devices, Enterprise Resource Planning (ERP) databases, Human Resources (HR) systems, and countless other systems that users need to have access to. Many of you might also be in the middle of security audits. Sarbanes-Oxley (SOX), Statement on Auditing Standard 70 (SAS70), the Health Insurance Portability and Accountability Act (HIPPA), and other regulatory laws have forced us to rethink how we accomplish daily tasks and how we account for who does them.

Each of the four products in this month’s comparative review—Ensim Unify Enterprise Edition, ManageEngine ADManager Plus, NetIQ Directory and Resource Administrator, and Quest Software ActiveRoles Server—attempts to take on one or more of these challenges: setting up granular security permissions, user provisioning on multiple systems, and AD auditing. Some try to do everything out of the box, and others use a modular approach.

Test ParametersTo test each product, I ran through five typical administration tasks that the build-in Microsoft tools either don’t do or don’t do very well. Those tasks are user provisioning (e.g., AD, Exchange, BlackBerry, ERP), Exchange provisioning (e.g., data store based on last name/department), delegation of duties, user de-provisioning a user (e.g., scramble username, reset password, remove from external system), and reporting for audits.

These four products have similar methods for helping you streamline the process of provisioning a new user. If every new user needs to be a member of the ERP Application global group, for example, this feature will be important to you. Another common example of user provisioning is integration with the HR database. Perhaps you'd like AD to be populated with the data from the HR database, or vice versa. Depending on the application, you might need to have a good scripting background to get the most out of this feature.

I installed each product in a typical Windows 2003 Active Directory Doman with Exchange 2003. I used VMware so that I could host multiple servers on one physical machine.

Ensim Unify EnterpriseUnify Enterprise walks you through a helpful “prerequisite check” for your system, then proceeds through a very simple installation routine. The product runs on Windows Server 2008 or Windows Server 2003 and requires IIS, ASP.NET, .NET Framework 2.0, and the SMTP service. Once the installation is complete, a Quick Start guide launches, walking you through some basic steps, such as setting general preferences and notification parameters.

Unify Enterprise has the cleanest GUI of all the products in this review. Through the easy-to-navigate interface, I immediately attempted to create a new user. Doing so led me to want to create a Template User, and in just a few minutes I had nice SpokaneUser and SeattleUser templates. (You can also add users by using a comma separated value—CSV—file.) If your dedicated Help desk staff spends most of its day administering users and computers, this is the interface they'll want to work in.

To help you delegate correct permissions for users, Unify Enterprise includes four built-in roles: System Administrator, Help Desk Administrator, HR Administrator, and Employee. Of course, you can create custom roles, but these four will get you started. For example, the Help Desk Administrator can perform the following tasks: Change and reset passwords, edit user properties, add security groups, and so on.

When a user is deleted from AD, you can set the following events to occur: reset the password to a random string, scramble the logon name, disable the account, move the user object to a special container, and remove the user from all security and/or distribution groups (except for those listed in an exclusion list). Also, the user’s home folder can be automatically archived to another location with the security permissions altered for manager access. The user can then be configured for automatic deletion after a set period of days.

As for reporting, one of the tabs across the top of the web console is the Reports menu. The following reports are available: Usage, Resource Status, Action Logs, and Deleted Items. Each report is quite detailed, but—from an auditing perspective—I found the most useful information in the Action Logs and Deleted Items. Unfortunately, I couldn't find a way to export the reports into a format that I could give to an auditor.

Unify Enterprise takes a modular approach, giving you the functionality to administer only AD out of the box. If you need to provision Exchange Server or another “external” system, you'll need to purchase additional components. Unify Enterprise can be extended to support BlackBerry Enterprise Server, Exchange 2007 or 2003, Google Apps, and Microsoft Office Communication Server (OCS). ManageEngine ADManager Plus The Manage Engine website immediately draws your attention to the company's 90:10 Promise: "90 percent of the features of the Big 4 at 10 percent of the price.” I wondered whether the product could really deliver on that promise. After reviewing the product, I’m not convinced that it does.

I downloaded the 30MB installation file and started the setup process. This was by far the easiest and fastest installation of all of the four products. I needed only to specify the port that I wanted the web server to run on (the default is port 8080).

As with the other products, the main GUI is web-based. However, ADManager can be authenticated with either domain or ADManager Plus authentication. Once you're logged on, a dashboard of canned reports shows you the number of active users, inactive users, disables users, locked out user, and so on. The tabs available across the top are AD Mgmt, AD Reports, AD Delegation, Admin, and Support.

ADManager Plus has a clean layout for adding or modifying user and computer accounts. You can move users one at a time or in bulk through a CSV import. A feature that sets this product apart from the competition is its Bulk User Modification. For example, you can move the Home Folders, disable/enable accounts, or change the dial-in/VPN properties for a group of users. You can also alter Exchange and Terminal Services attributes.

There are multiple built-in roles that can accomplish the most common tasks, such as creating users, resetting passwords, and unlocking users. Alternatively, you can create custom roles with specific rights that can perform custom tasks. I was excited to see a particular right: Create Exchange Mailbox. With this right, I was able to create a Help Desk Technician Role that had the correct permissions to create an Exchange mailbox, even though the user wasn't an Exchange administrator.

ADManager Plus has limited capability for provisioning Exchange above and beyond what you get with the standard Microsoft tools. Whereas some of the other applications can automate the Exchange portion, ADManager can't. Because ADManager Plus can't provision outside AD or Exchange, I focused my testing on the disabling or deleting of user accounts. A Delete policy lets you specify whether a user's Home Folder, Roaming Profile, Terminal Server Home Folder, or Terminal Server Profile should be deleted along with the user account. One important note: I couldn't find a “recycle bin” feature. When an AD object is deleted, it's deleted just as if you removed the object through the built-in Microsoft Management Console (MMC) Active Directory Users and Computers snap-in.

ADManager Plus includes 13 types of reports, including password, Exchange, GPO, OU, and many others. There are even compliance-specific reports, including SOX-, HIPPA-, and PCI-compliance reports. Of all the products in this comparative review, ADManager Plus has the most comprehensive list of available reports. NetIQ Directory and Resource Administrator NetIQ Directory and Resource Administrator has both a web interface for day-to-day administrative tasks, and separate applications for Account and Resource Management and Delegation and Configuration. Like the other products in this review, NetIQ Directory and Resource Administrator is considered a 100 percent proxy model. In other words, “real” AD permissions aren't actually granted to your junior administrators. This is a real advantage if the OU structure of your AD implementation wasn't set up correctly correctly—particularly if the objects you want to grant access to aren't grouped in your OU structure.

This product promotes the notion of powers, which are similar to rights. There are 290 preconfigured powers, and you can also create your own. A simple wizard lets you create a new power over users, groups, computers, contacts, OUs, and published printers. For example, I created a power that allowed the user property EmailAddress to be updated. These powers are then combined to create roles (e.g., Help Desk Administrator). The product's administration website is great for non-technical users, such as managers who have the reset password power, or even for users who have permission to update their personal information (e.g., job title, phone numbers).

Another concept unique to NetIQ Directory and Resource Administrator is automation triggers. A new trigger is created and associated with a UserCreate operation. Once this has been set up in the product's Delegation and Configuration tool, an administrator or Help desk technician can use the web interface to create users, configure Exchange mailboxes, and so on. The interface is simple and well designed.

Summary NetIQ Directory and Resource Administrator PROS: Outstanding auditing and reporting capabilities; simple and well designed interface CONS: Not as intuitive as ActiveRoles Server; heavy use of scripting is required to automate external applications RATING: 4 diamonds PRICE: $1,600 for 100 users RECOMMENDATION: If you need superior auditing and reporting, and are comfortable using VB Script for external automation, NetIQ deserves a look.CONTACT: NetIQ • 888-323-6768 • www.netiq.com

You can also perform Exchange provisioning through the Delegation and Configuration tool. A simple checkbox enables Exchange 2007, 2003, and/or 2000 support. Although this out-of-the-box feature set is pretty basic, NetIQ provides a free Knowledge Script Depot to all its customers. A quick search of the scripts resulted in a script called CreateMailbox_on_Specific_Store.vbs.

With the product's ActiveViews, you can implement delegated authority independent of your AD structure. This is useful if the current OU structure wasn't set up properly or if the areas you want to delegate control of fall outside the scope of your current OU structure. An ActiveView can be a group of just about anything, including users, groups, OUs, contacts, computers, and even resources such as printers, print jobs, shares, and services. Because ActiveViews are dynamic (much like an Exchange query-based distribution list), these views change and grow as your domain changes, with no administrative overhead on your part. I was able to easily create an ActiveView that included all the users from the Spokane, WA office. After you create an ActiveView, another wizard automatically starts, letting you delegate specific control of that view to a group.

To generate a report on any object in AD, you use the Directory and Resource Administrator (not the web interface). This tool lets you query for a specific user or group (or any object) and run a report of changes made to the object or by the object. For example, you might want to know who has altered the Help Desk Administrators group (has someone added a rogue entry?), or you might want to know what this particular group has been doing. I found the reporting to be very granular and detailed enough to make any auditor happy. Quest Software ActiveRoles Server If you've ever used the built-in Delegate Control feature in the Active Directory Users and Computers snap-in, you'll feel right at home in ActiveRoles Server. The product has three default web components: Self Service, Help Desk, and Administrators.

Provisioning a new user in ActiveRoles Server was easily the most user-friendly process of all four products. The built-in policies do a great job of getting you most of the way there. And like the other products, this one requires that you go the rest of the way with scripting. If you're unsure where to begin, Quest has a handy Wiki document full of useful scripts that you can plug directly into ActiveRoles Server.

At one company I've worked with, Help desk technicians aren't allowed to create Exchange mailboxes because of the “risk that they might not create the mailbox in the correct store.” This scenario frustrates the junior technician and wastes the senior engineer’s time. ActiveRoles Server' provisioning and de-provisioning policies help in these kinds of situations.

When a user leaves the company, ActiveRoles Server can take care of the Exchange portion of the task as well, hiding the mailbox from the Global Address List (GAL), granting the user’s manager full access to the user’s mailbox and forwarding all new incoming messages to the manager.

This tool looks and feels the most like AD itself. When you're delegating permissions, you'll find that the ActiveRoles delegation wizard looks and feels almost identical to Active Directory Users and Computers. Also, whereas ActiveRoles is a “proxy” type tool by default (e.g., ActiveRoles Server controls the permissions, not AD), you can sync the permissions that you set up to AD if you want to. This functionality is useful if applications outside ActiveRoles Server—such as an HR database—need to access objects in AD.

Similar to NetIQ with its ActiveViews, ActiveRoles Server has a feature called Managed Units (MUs). An MU is a collection of objects that you want to group together for administration. As in the NetIQ example, this is useful if the domain wasn't designed properly or even if the administrative tasks you want to perform are outside the AD design. For example, your OU structure might be by city or department, with individual managers distributed throughout the structure. An MU could include all the managers in a particular city and then be granted the right to reset passwords.

ActiveRoles Server has robust Exchange provisioning capabilities, including user and group de-provisioning. When de-provisioning a user, you can disable the account, set the username and password to random values, remove the account from security or distribution groups, grant the manager permissions to the user’s home folder, delete the home folder, run a script (PowerShell, VBScript, JScript, or PerlScript) to disable the employee from an HR database, and schedule the account for permanent deletion.

Before the ActiveRoles Server system can be used for reporting, a Data Collector has to be installed on the server first. Another SQL Server database also has to be created to store the data. The process for getting reporting set up in this product was the most complex of all these products. In fact, throughout testing, I couldn't get the reporting to work correctly.

Editor's Choice These products are heads and shoulders above the AD tools that Microsoft ships with Windows Server. However, don't consider them substitutes to proper planning and management! More than once, I found that if I was careless (or sneaky) enough, I could find a way for a Help Desk Technician to escalate his or her privileges and get added to the Domain Administrators group. This isn't a fault of the tools, but they can make it easier to become complacent.

Each of these products worked well and performed their tasks as advertised, but in my opinion, ActiveRoles Server edges out the competition. I appreciate that even though it has a “proxy” model like the other products, the permissions can also be synced to the native AD security structure. The built-in policies to provision and de-provision users immediately subtracts about 30 minutes of busy-work in the typical IT shop when a user is terminated. ActiveRoles Server also has a robust, built-in Workflow module. In the end, ActiveRoles Server simply impressed me the most, regardless of the trouble I experienced with the reporting feature. NetIQ Directory and Resource Administrator ranks a close second, only because ActiveRoles Server has a stronger interface.

AH!!! Eric I was pleasantly reminded that Quest in fact owns Script Logic. I am a fan of Quest and their PosH cmdlets. Which in turn makes me want to check out their offering even more. Great article! Informative and concise as always. Keep up the great work.

Anyone evaluated or have any experience with netwrix active directory change reporter? Were in the process of evaluating both the netwrix tool and the manageegine tool, and were actually leaning towards the netwrix tool because it has better audit capabilities. Anyone have an opinion or experience with these companies?

For sure this a must read for administrators that are still looking at their Active Directory DCs as NT 4.0 boxes. Your article reveals what admins should be looking at. Recently an IT manager installed MSCRM on one of his domain controllers because he thought is wasn't doing much.
I will forward them a link to this article. Seems to me this is a good part of the AD educational process that must be on going. I really like the introduction of the article. Thanks again Eric for all the work involved in this piece.
Curt Spanburgh, MVP.

If you are looking for an AD management tool, you should definitely add Adaxes to your shortlist. I don't really understand why isn't it mentioned in the article. It's really awesome and 100% worth considering.

Microsoft Stack Master Class

Understand the complete Microsoft solution stack, how the products work together, and how to implement and maintain for a total datacenter and desktop solution. This course covers the latest technology updates including Windows Server 2016 and Windows 10 and will enable the new capabilities to be leveraged in your organization.